The services that a society requires for its proper functioning are based on critical supply infrastructures such as energy, water, transport, telecommunications, banking and health systems, among others. A cyber-attack on any of these critical infrastructures may result in failure or disruption of their operation. The direct consequences where the impact occurs are severe: serious economic losses, in addition to endangering human lives or affecting the environment. Safeguarding and protecting this type of infrastructure is therefore paramount. It is essential to take actions that mitigate risk and protect the assets that make up what we call critical infrastructures.
What are critical infrastructures?
Critical infrastructures (the official term used by the Administration) are all those physical and information technology facilities, networks, systems and equipment that support the operation of a society’s essential services. Their operation is indispensable and does not allow for alternative solutions. Their disruption or destruction would have a serious impact on the services that society requires for its proper functioning.
An infrastructure is designated as critical by the Ministry of Interior, which, through the Secretary of State for Security, classifies it as strategic and, where appropriate, as a critical infrastructure or European Critical Infrastructure, and includes it for the first time in the Catalogue.
In Spain, the National Centre for Critical Infrastructure Protection (CNPIC) was established in 2007. This body is responsible for the promotion, coordination and supervision of all policies and activities related to the protection of Spanish critical infrastructures and cybersecurity. It is responsible for registering, deleting and modifying infrastructures in the Catalogue, as well as determining the criticality of the strategic infrastructures listed therein.
Critical infrastructures are vital and essential. Safeguarding them is critical, and as the White House memorandum dated July 2021 states, “cybersecurity threats to the systems that control and operate the critical infrastructures on which we all depend are among the most important and growing issues facing our nation”. The same can be said of any country in the world.
Why attack a critical infrastructure?
Before examining some examples of critical infrastructure cyber-attacks in our history, we should understand why these attacks are so attractive to hackers. Numerous studies have analysed this trend, and most of them have determined that 75% of attacks on critical infrastructures are economically motivated (carried out for money), especially when they target private companies that will pay to recover their stability.
That said, those who attack a country’s critical infrastructures are usually highly technical professionals, and they are often motivated by reasons that go well beyond money. Politics and international issues are often behind the most significant cyber-attacks, those that have had the greatest impact on citizens.
Indeed, “attacking” key infrastructures such as hospitals, railways, energy networks or public administrations themselves can cause significant damage in a matter of seconds, which can be politically devastating.
Real threats and attacks on critical infrastructures
In recent years, cyber-attacks on critical infrastructures have proliferated, driven by the “dependence” of all of them on computer systems and the network (internet), as well as by the power that comes from controlling them.
The attack suffered by the Illinois water distribution service is generally acknowledged as the first cyber-attack on a critical infrastructure. This attack on a North American supply system was launched from outside the country, specifically from a server located in Russia. Using the acquired permissions, the attackers were able to remotely disconnect the water distribution service pump, which caused significant damage to everyday life in the area.
Since then, the world has experienced three major cyber-attacks on critical infrastructures that raised fears of the worst and put the situation almost in checkmate.
In 2010, the Natanz nuclear power plant (Iran) was affected by the Stuxnet malware, which managed to completely shut down the plant’s operations. The cyber worm damaged the motors of the centrifuges used to enrich uranium. At the time, up to 1,000 centrifuges were temporarily shut down.
Then, in 2015, Ukraine was hit by a groundbreaking attack that caught everyone off guard: a global assault on its power grid. Hackers broke into three energy companies directly and simultaneously, shutting down and blocking power generation in three regions of the country. Nearly a quarter of a million people were affected for six hours in the cold winter.
The latest attack on this list, however, is the most worrying and has triggered significant action by administrations. In 2017, cyberattackers took remote control of a workstation in Saudi Arabia via malicious software known as Triton (specifically built to target industrial safety instrumented systems).
Official protection of critical infrastructures
Following these and other cyber-attacks from around the world, both in public critical infrastructures and in private company environments, the importance of industrial cybersecurity has been recognised. Countries themselves have determined guidelines to be officially implemented to safeguard their own infrastructures and protect them from possible attacks.
Today, hackers around the world design malicious software to damage operational technology, highlighting the importance and necessity of implementing a holistic approach to cybersecurity that encompasses operational processes, technology and the people involved. This is because 90% of attacks are triggered via email, which shows that attackers target the weakest link in the chain, and that everyone in that chain has to take responsibility for its protection.
At this point it is also important to know the differences between IT and OT. The most common challenge for cybersecurity professionals is specialising in both of these areas, something that has a relevant place in the CCI’s Online Professional Master’s Degree in Industrial Cybersecurity (October 2022 edition).
The main function of the IT (Information Technology) environment is the management of the information lifecycle, meaning the generation, processing, transmission and storage of information. Its field of use is becoming increasingly widespread, although it is particularly important in the corporate and business sectors, where security has developed rapidly due to the need to preserve the information handled by highly interconnected systems. This has provided IT systems with very specific and dynamic security features, where updates are constantly made according to the amount of information being processed, considering all kinds of risks, attacks and vulnerabilities.
The introduction of technology in process operation systems has led to the emergence of the OT (Operational Technologies) environment, aimed at more efficient control and management of the various industrial processes. From their origin, such systems were designed for demanding environments, where non-optimal environmental conditions are endured and where permanent operation of normally isolated systems is required to safeguard the continuity of the service they provide.
To address security gaps, IT security elements that cannot be applied to OT environments should be identified and compensatory measures should be defined that are compatible with the functioning and operation of critical infrastructures.
Whichever approach is used, it is essential to consider any potential industrial cybersecurity breaches. Critical infrastructures are vital to daily life and must be protected from any type of attack. In the Master’s Degree in Industrial Cybersecurity, which will start on 17 October 2022, you will discover the most specialised and specific ways to analyse and protect these facilities, as well as other different actions within the field of cybersecurity.